Skip to main content

Apache

2551 CVEs vendor

Monthly

CVE-2013-2154 HIGH PATCH This Week

Stack-based buffer overflow in the XML Signature Reference functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Buffer Overflow Denial Of Service Apache RCE Xml Security For C
NVD
CVSS 2.0
7.5
EPSS
1.7%
CVE-2013-2153 MEDIUM POC PATCH This Month

The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Apache Authentication Bypass Xml Security For C
NVD
CVSS 2.0
4.3
EPSS
0.8%
CVE-2013-2160 Maven MEDIUM POC PATCH THREAT This Month

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.3%.

Denial Of Service Apache Cxf
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
12.3%
CVE-2013-2136 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Cloudstack
NVD
CVSS 2.0
4.3
EPSS
6.7%
CVE-2012-5575 Maven MEDIUM PATCH This Month

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Cxf Jboss Enterprise Application Platform Jboss Enterprise Portal Platform +3
NVD
CVSS 2.0
6.4
EPSS
9.5%
CVE-2013-2250 CRITICAL PATCH Act Now

Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Ofbiz
NVD
CVSS 2.0
10.0
EPSS
5.9%
CVE-2013-2137 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Ofbiz
NVD
CVSS 2.0
4.3
EPSS
3.4%
CVE-2013-4156 MEDIUM This Month

Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted element in an OOXML document. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Denial Of Service Apache Memory Corruption Openoffice
NVD
CVSS 2.0
6.8
EPSS
1.2%
CVE-2013-4131 MEDIUM This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Apache Subversion
NVD
CVSS 2.0
4.0
EPSS
0.7%
CVE-2013-2189 MEDIUM PATCH This Month

Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via invalid PLCF data in a DOC document file. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Denial Of Service Apache Memory Corruption Openoffice
NVD
CVSS 2.0
6.8
EPSS
1.2%
CVE-2013-2249 HIGH POC THREAT Act Now

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 43.7%.

Apache Information Disclosure Http Server Apache HTTP Server
NVD
CVSS 2.0
7.5
EPSS
43.7%
Threat
4.3
CVE-2013-4002 Maven HIGH PATCH This Week

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable.

Java Denial Of Service Apache Oracle IBM +14
NVD
CVSS 2.0
7.1
EPSS
5.6%
CVE-2013-2251 Maven CRITICAL POC KEV PATCH THREAT Act Now

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
94.3%
Threat
7.8
CVE-2013-2248 Maven MEDIUM POC PATCH THREAT This Month

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 92.0%.

Apache Open Redirect Struts
NVD Exploit-DB
CVSS 2.0
5.8
EPSS
92.0%
Threat
5.4
CVE-2013-1879 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Activemq
NVD
CVSS 2.0
4.3
EPSS
5.5%
CVE-2013-2135 Maven CRITICAL PATCH Act Now

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Epss exploitation probability 83.0%.

Code Injection Apache RCE Struts
NVD
CVSS 2.0
9.3
EPSS
83.0%
Threat
4.4
CVE-2013-2134 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.5%.

Code Injection Apache RCE Struts
NVD Exploit-DB
CVSS 2.0
9.3
EPSS
91.5%
Threat
6.1
CVE-2013-2765 MEDIUM POC PATCH This Month

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Apache Null Pointer Dereference Modsecurity Opensuse
NVD GitHub Exploit-DB
CVSS 2.0
5.0
EPSS
5.4%
CVE-2013-1777 Maven CRITICAL PATCH Act Now

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

IBM Code Injection Apache RCE Geronimo +1
NVD
CVSS 2.0
10.0
EPSS
8.3%
CVE-2013-1768 Maven HIGH PATCH Act Now

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.6%.

Deserialization Privilege Escalation Apache RCE Openjpa
NVD
CVSS 2.0
7.5
EPSS
14.6%
CVE-2013-1896 MEDIUM POC THREAT This Month

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 38.6%.

Denial Of Service Apache Http Server Jboss Enterprise Application Platform Enterprise Linux Desktop +7
NVD
CVSS 2.0
4.3
EPSS
38.6%
CVE-2013-2115 Maven HIGH POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 87.6%.

Code Injection Apache RCE Struts
NVD Exploit-DB
CVSS 3.1
8.1
EPSS
87.6%
Threat
5.7
CVE-2013-1966 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.1%.

Code Injection Apache RCE Struts
NVD Exploit-DB
CVSS 2.0
9.3
EPSS
91.1%
Threat
6.1
CVE-2013-1965 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.8%.

Code Injection Apache RCE Struts Struts2 Showcase
NVD
CVSS 2.0
9.3
EPSS
91.8%
Threat
6.1
CVE-2012-6573 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Apache Solr Autocomplete module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Apachesolr Autocomplete
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2013-1862 MEDIUM PATCH This Month

mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Epss exploitation probability 39.6%.

Apache Information Disclosure Http Server Jboss Enterprise Application Platform Enterprise Linux Desktop +7
NVD
CVSS 2.0
5.1
EPSS
39.6%
CVE-2013-2071 Maven LOW POC PATCH Monitor

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available.

Tomcat Apache Information Disclosure Java
NVD
CVSS 2.0
2.6
EPSS
8.4%
CVE-2013-2067 Maven MEDIUM PATCH This Month

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Epss exploitation probability 10.4%.

Tomcat Apache Java Authentication Bypass
NVD
CVSS 2.0
6.8
EPSS
10.4%
CVE-2012-3544 Maven MEDIUM PATCH This Month

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 44.8%.

Tomcat Denial Of Service Apache
NVD
CVSS 2.0
5.0
EPSS
44.8%
CVE-2013-0942 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Rsa Authentication Agent
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2013-0941 LOW Monitor

EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Apache Microsoft Information Disclosure Authentication Api Securid Web Agent +2
NVD
CVSS 2.0
2.1
EPSS
0.0%
CVE-2013-1884 MEDIUM POC THREAT This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 31.6%.

Buffer Overflow Denial Of Service Apache Subversion
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
31.6%
CVE-2013-1849 MEDIUM This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 15.3% and no vendor patch available.

Denial Of Service Apache Subversion
NVD
CVSS 2.0
4.3
EPSS
15.3%
CVE-2013-1847 MEDIUM POC THREAT This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 44.3%.

Denial Of Service Apache Subversion
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
44.3%
CVE-2013-1846 MEDIUM This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Apache Subversion Opensuse
NVD
CVSS 2.0
4.0
EPSS
1.9%
CVE-2013-1845 LOW Monitor

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Denial Of Service Apache Subversion Opensuse
NVD
CVSS 2.0
2.1
EPSS
1.8%
CVE-2013-3239 PHP MEDIUM POC PATCH THREAT This Month

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 12.3%.

PHP Code Injection Apache RCE Phpmyadmin
NVD GitHub Exploit-DB
CVSS 2.0
4.6
EPSS
12.3%
CVE-2013-1088 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Novell iManager 2.7 before SP6 Patch 1 allows remote attackers to hijack the authentication of arbitrary users by leveraging improper request. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat Imanager
NVD
CVSS 2.0
6.8
EPSS
0.3%
CVE-2013-3060 Maven MEDIUM PATCH This Month

The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Denial Of Service Apache Authentication Bypass Activemq
NVD
CVSS 2.0
6.4
EPSS
1.0%
CVE-2012-6551 Maven MEDIUM PATCH This Month

The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Activemq
NVD
CVSS 2.0
5.0
EPSS
8.4%
CVE-2012-6092 Maven MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache Java XSS Activemq
NVD
CVSS 2.0
4.3
EPSS
2.6%
CVE-2013-0253 MEDIUM PATCH This Month

The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Information Disclosure Maven
NVD
CVSS 2.0
5.8
EPSS
0.7%
CVE-2013-0966 MEDIUM This Month

The Apple mod_hfs_apple module for the Apache HTTP Server in Apple Mac OS X before 10.8.3 does not properly handle ignorable Unicode characters, which allows remote attackers to bypass intended. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Apple Authentication Bypass Mac Os X Mac Os X Server
NVD
CVSS 2.0
6.4
EPSS
0.2%
CVE-2013-0248 Maven LOW PATCH Monitor

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary. Rated low severity (CVSS 3.3).

Privilege Escalation Apache Commons Fileupload
NVD
CVSS 2.0
3.3
EPSS
0.1%
CVE-2012-4460 MEDIUM PATCH This Month

The serializing/deserializing functions in the qpid::framing::Buffer class in Apache Qpid 0.20 and earlier allow remote attackers to cause a denial of service (assertion failure and daemon exit) via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Apache Qpid
NVD
CVSS 2.0
5.0
EPSS
3.6%
CVE-2012-4459 MEDIUM PATCH This Month

Integer overflow in the qpid::framing::Buffer::checkAvailable function in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (crash) via a crafted message, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Buffer Overflow Denial Of Service Apache Qpid
NVD
CVSS 2.0
5.0
EPSS
1.5%
CVE-2012-4458 MEDIUM PATCH This Month

The AMQP type decoder in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (memory consumption and server crash) via a large number of zero width elements in the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Qpid
NVD
CVSS 2.0
5.0
EPSS
2.5%
CVE-2012-4446 Maven MEDIUM PATCH This Month

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Qpid
NVD
CVSS 2.0
6.8
EPSS
0.4%
CVE-2013-1814 Maven MEDIUM POC PATCH THREAT This Month

The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 83.0%.

Apache Information Disclosure Rave
NVD Exploit-DB
CVSS 2.0
4.0
EPSS
83.0%
Threat
4.8
CVE-2013-0239 Maven MEDIUM PATCH This Month

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Cxf
NVD
CVSS 2.0
5.0
EPSS
2.7%
CVE-2012-5633 Maven MEDIUM PATCH This Month

The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Cxf
NVD
CVSS 2.0
5.8
EPSS
1.8%
CVE-2013-1048 MEDIUM PATCH This Month

The Debian apache2ctl script in the apache2 package squeeze before 2.2.16-6+squeeze11, wheezy before 2.2.22-13, and sid before 2.2.22-13 for the Apache HTTP Server on Debian GNU/Linux does not. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity.

Privilege Escalation Apache Debian Apache2
NVD
CVSS 2.0
4.6
EPSS
0.1%
CVE-2012-4558 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 28.2% and no vendor patch available.

Apache XSS Http Server Apache HTTP Server
NVD
CVSS 2.0
4.3
EPSS
28.2%
CVE-2012-3499 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 10.3% and no vendor patch available.

Apache XSS Http Server Apache HTTP Server
NVD
CVSS 2.0
4.3
EPSS
10.3%
CVE-2012-5616 LOW Monitor

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1). Rated low severity (CVSS 1.5). No vendor patch available.

Citrix Apache Authentication Bypass Cloudstack Cloudplatform
NVD
CVSS 2.0
1.5
EPSS
0.1%
CVE-2012-2378 Maven MEDIUM PATCH This Month

Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Apache Cxf
NVD
CVSS 2.0
4.3
EPSS
4.2%
CVE-2012-4556 MEDIUM This Month

The token processing system (pki-tps) in Red Hat Certificate System (RHCS) before 8.1.3 allows remote attackers to cause a denial of service (Apache httpd web server child process restart) via. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Denial Of Service Apache Certificate System
NVD
CVSS 2.0
4.0
EPSS
0.4%
CVE-2012-4555 MEDIUM This Month

The token processing system (pki-tps) in Red Hat Certificate System (RHCS) before 8.1.3 does not properly handle interruptions of token format operations, which allows remote attackers to cause a. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Denial Of Service Apache Certificate System
NVD
CVSS 2.0
4.0
EPSS
0.4%
CVE-2012-2379 Maven CRITICAL PATCH Act Now

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Cxf
NVD
CVSS 2.0
10.0
EPSS
3.8%
CVE-2012-4528 MEDIUM POC THREAT This Month

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 11.5%.

PHP Apache Authentication Bypass Modsecurity Opensuse +1
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
11.5%
CVE-2012-4534 LOW POC PATCH THREAT Monitor

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 22.8%.

Tomcat Denial Of Service Apache Java
NVD
CVSS 2.0
2.6
EPSS
22.8%
CVE-2012-4431 Maven MEDIUM PATCH This Month

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

CSRF Privilege Escalation Java Apache Tomcat
NVD
CVSS 2.0
4.3
EPSS
9.8%
CVE-2012-3546 Maven MEDIUM PATCH This Month

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat Privilege Escalation Apache Java
NVD
CVSS 2.0
4.3
EPSS
2.2%
CVE-2012-5568 MEDIUM POC THREAT This Month

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%.

Tomcat Denial Of Service Apache Opensuse
NVD
CVSS 2.0
5.0
EPSS
13.8%
CVE-2012-4557 MEDIUM POC PATCH THREAT This Month

The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.0%.

Denial Of Service Apache Http Server Apache HTTP Server
NVD
CVSS 2.0
5.0
EPSS
26.0%
CVE-2012-3513 CRITICAL POC Act Now

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Apache Munin
NVD
CVSS 2.0
9.3
EPSS
0.8%
CVE-2012-5887 Maven MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat
NVD
CVSS 2.0
5.0
EPSS
12.1%
CVE-2012-5886 Maven MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Tomcat Apache Authentication Bypass
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2012-5885 Maven MEDIUM PATCH This Month

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Privilege Escalation Apache
NVD
CVSS 2.0
5.0
EPSS
2.3%
CVE-2012-2733 MEDIUM This Month

java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 20.3% and no vendor patch available.

Tomcat Denial Of Service Apache Java
NVD
CVSS 2.0
5.0
EPSS
20.3%
CVE-2012-5786 MEDIUM This Month

The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not verify that the server hostname matches a domain name in the. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Apache RCE Cxf
NVD
CVSS 2.0
5.8
EPSS
0.1%
CVE-2012-5785 Maven MEDIUM POC PATCH This Month

Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Apache Information Disclosure Java Axis2
NVD
CVSS 2.0
5.8
EPSS
0.5%
CVE-2012-5784 Maven MEDIUM POC This Month

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products,. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Apache Information Disclosure Java Activemq Axis +3
NVD
CVSS 2.0
5.8
EPSS
1.6%
CVE-2012-5783 Maven MEDIUM PATCH This Month

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Information Disclosure Java Httpclient Ubuntu Linux
NVD
CVSS 2.0
5.8
EPSS
0.6%
CVE-2012-3446 PyPI MEDIUM POC PATCH This Month

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Information Disclosure Libcloud
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2012-4501 CRITICAL Act Now

Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Citrix Cloudstack
NVD
CVSS 2.0
10.0
EPSS
2.7%
CVE-2012-3506 CRITICAL PATCH Act Now

Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Ofbiz
NVD
CVSS 2.0
10.0
EPSS
0.8%
CVE-2012-5351 Maven MEDIUM PATCH This Month

Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Axis2
NVD
CVSS 2.0
6.4
EPSS
0.3%
CVE-2012-4418 Maven MEDIUM POC PATCH This Month

Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack.". Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Apache Authentication Bypass Axis2
NVD
CVSS 2.0
5.8
EPSS
0.3%
CVE-2012-4063 MEDIUM This Month

The Apache Santuario configuration in Eucalyptus before 3.1.1 does not properly restrict applying XML Signature transforms to documents, which allows remote attackers to cause a denial of service via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Denial Of Service Apache Eucalyptus
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2012-2145 MEDIUM This Month

Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apache Qpid
NVD
CVSS 2.0
5.0
EPSS
7.1%
CVE-2012-3451 Maven MEDIUM PATCH This Month

Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache Information Disclosure Cxf
NVD
CVSS 2.0
4.3
EPSS
10.0%
CVE-2012-3373 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Wicket
NVD
CVSS 2.0
4.3
EPSS
1.8%
CVE-2012-3908 MEDIUM This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the ISE Administrator user interface (aka the Apache Tomcat interface) on Cisco Identity Services Engine (ISE) 3300 series appliances. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat Cisco Identity Services Engine Software +1
NVD
CVSS 2.0
6.8
EPSS
0.1%
CVE-2012-4360 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the mod_pagespeed module 0.10.19.1 through 0.10.22.4 for the Apache HTTP Server allows remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Mod Pagespeed
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2012-4001 MEDIUM This Month

The mod_pagespeed module before 0.10.22.6 for the Apache HTTP Server does not properly verify its host name, which allows remote attackers to trigger HTTP requests to arbitrary hosts via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Mod Pagespeed
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2012-4387 Maven MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Denial Of Service Apache Struts
NVD
CVSS 2.0
5.0
EPSS
7.9%
CVE-2012-4386 Maven MEDIUM PATCH This Month

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
CVSS 2.0
6.8
EPSS
3.2%
CVE-2012-3526 MEDIUM This Month

The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apache Mod Rpaf
NVD
CVSS 2.0
5.0
EPSS
1.9%
CVE-2012-3467 Maven MEDIUM PATCH This Month

Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Qpid
NVD
CVSS 2.0
5.0
EPSS
1.1%
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Stack-based buffer overflow in the XML Signature Reference functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Buffer Overflow Denial Of Service Apache +2
NVD
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Apache Authentication Bypass Xml Security For C
NVD
EPSS 12% CVSS 5.0
MEDIUM POC PATCH THREAT This Month

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.3%.

Denial Of Service Apache Cxf
NVD Exploit-DB
EPSS 7% CVSS 4.3
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Cloudstack
NVD
EPSS 10% CVSS 6.4
MEDIUM PATCH This Month

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Cxf +5
NVD
EPSS 6% CVSS 10.0
CRITICAL PATCH Act Now

Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Ofbiz
NVD
EPSS 3% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Ofbiz
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted element in an OOXML document. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Denial Of Service Apache +2
NVD
EPSS 1% CVSS 4.0
MEDIUM This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Apache +1
NVD
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via invalid PLCF data in a DOC document file. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Denial Of Service Apache +2
NVD
EPSS 44% 4.3 CVSS 7.5
HIGH POC THREAT Act Now

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 43.7%.

Apache Information Disclosure Http Server +1
NVD
EPSS 6% CVSS 7.1
HIGH PATCH This Week

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable.

Java Denial Of Service Apache +16
NVD
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Information Disclosure
NVD Exploit-DB VulDB
EPSS 92% 5.4 CVSS 5.8
MEDIUM POC PATCH THREAT This Month

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 92.0%.

Apache Open Redirect Struts
NVD Exploit-DB
EPSS 5% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Activemq
NVD
EPSS 83% 4.4 CVSS 9.3
CRITICAL PATCH Act Now

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Epss exploitation probability 83.0%.

Code Injection Apache RCE +1
NVD
EPSS 92% 6.1 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.5%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 5% CVSS 5.0
MEDIUM POC PATCH This Month

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Apache Null Pointer Dereference +2
NVD GitHub Exploit-DB
EPSS 8% CVSS 10.0
CRITICAL PATCH Act Now

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

IBM Code Injection Apache +3
NVD
EPSS 15% CVSS 7.5
HIGH PATCH Act Now

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.6%.

Deserialization Privilege Escalation Apache +2
NVD
EPSS 39% CVSS 4.3
MEDIUM POC THREAT This Month

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 38.6%.

Denial Of Service Apache Http Server +9
NVD
EPSS 88% 5.7 CVSS 8.1
HIGH POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 87.6%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 91% 6.1 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.1%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 92% 6.1 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.8%.

Code Injection Apache RCE +2
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Apache Solr Autocomplete module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Apachesolr Autocomplete
NVD
EPSS 40% CVSS 5.1
MEDIUM PATCH This Month

mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Epss exploitation probability 39.6%.

Apache Information Disclosure Http Server +9
NVD
EPSS 8% CVSS 2.6
LOW POC PATCH Monitor

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 10% CVSS 6.8
MEDIUM PATCH This Month

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Epss exploitation probability 10.4%.

Tomcat Apache Java +1
NVD
EPSS 45% CVSS 5.0
MEDIUM PATCH This Month

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 44.8%.

Tomcat Denial Of Service Apache
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Rsa Authentication Agent
NVD
EPSS 0% CVSS 2.1
LOW Monitor

EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Apache Microsoft Information Disclosure +4
NVD
EPSS 32% CVSS 5.0
MEDIUM POC THREAT This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 31.6%.

Buffer Overflow Denial Of Service Apache +1
NVD Exploit-DB
EPSS 15% CVSS 4.3
MEDIUM This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 15.3% and no vendor patch available.

Denial Of Service Apache Subversion
NVD
EPSS 44% CVSS 5.0
MEDIUM POC THREAT This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 44.3%.

Denial Of Service Apache Subversion
NVD Exploit-DB
EPSS 2% CVSS 4.0
MEDIUM This Month

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Apache +2
NVD
EPSS 2% CVSS 2.1
LOW Monitor

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Denial Of Service Apache +2
NVD
EPSS 12% CVSS 4.6
MEDIUM POC PATCH THREAT This Month

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 12.3%.

PHP Code Injection Apache +2
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Novell iManager 2.7 before SP6 Patch 1 allows remote attackers to hijack the authentication of arbitrary users by leveraging improper request. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat +1
NVD
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Denial Of Service Apache Authentication Bypass +1
NVD
EPSS 8% CVSS 5.0
MEDIUM PATCH This Month

The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Activemq
NVD
EPSS 3% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache Java XSS +1
NVD
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Information Disclosure Maven
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Apple mod_hfs_apple module for the Apache HTTP Server in Apple Mac OS X before 10.8.3 does not properly handle ignorable Unicode characters, which allows remote attackers to bypass intended. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Apple Authentication Bypass +2
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary. Rated low severity (CVSS 3.3).

Privilege Escalation Apache Commons Fileupload
NVD
EPSS 4% CVSS 5.0
MEDIUM PATCH This Month

The serializing/deserializing functions in the qpid::framing::Buffer class in Apache Qpid 0.20 and earlier allow remote attackers to cause a denial of service (assertion failure and daemon exit) via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Apache +1
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

Integer overflow in the qpid::framing::Buffer::checkAvailable function in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (crash) via a crafted message, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Buffer Overflow Denial Of Service Apache +1
NVD
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

The AMQP type decoder in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (memory consumption and server crash) via a large number of zero width elements in the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Qpid
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Qpid
NVD
EPSS 83% 4.8 CVSS 4.0
MEDIUM POC PATCH THREAT This Month

The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 83.0%.

Apache Information Disclosure Rave
NVD Exploit-DB
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Cxf
NVD
EPSS 2% CVSS 5.8
MEDIUM PATCH This Month

The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Cxf
NVD
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

The Debian apache2ctl script in the apache2 package squeeze before 2.2.16-6+squeeze11, wheezy before 2.2.22-13, and sid before 2.2.22-13 for the Apache HTTP Server on Debian GNU/Linux does not. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity.

Privilege Escalation Apache Debian +1
NVD
EPSS 28% CVSS 4.3
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 28.2% and no vendor patch available.

Apache XSS Http Server +1
NVD
EPSS 10% CVSS 4.3
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 10.3% and no vendor patch available.

Apache XSS Http Server +1
NVD
EPSS 0% CVSS 1.5
LOW Monitor

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1). Rated low severity (CVSS 1.5). No vendor patch available.

Citrix Apache Authentication Bypass +2
NVD
EPSS 4% CVSS 4.3
MEDIUM PATCH This Month

Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Apache Cxf
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The token processing system (pki-tps) in Red Hat Certificate System (RHCS) before 8.1.3 allows remote attackers to cause a denial of service (Apache httpd web server child process restart) via. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Denial Of Service Apache +1
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The token processing system (pki-tps) in Red Hat Certificate System (RHCS) before 8.1.3 does not properly handle interruptions of token format operations, which allows remote attackers to cause a. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Denial Of Service Apache +1
NVD
EPSS 4% CVSS 10.0
CRITICAL PATCH Act Now

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Cxf
NVD
EPSS 11% CVSS 5.0
MEDIUM POC THREAT This Month

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 11.5%.

PHP Apache Authentication Bypass +3
NVD Exploit-DB
EPSS 23% CVSS 2.6
LOW POC PATCH THREAT Monitor

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 22.8%.

Tomcat Denial Of Service Apache +1
NVD
EPSS 10% CVSS 4.3
MEDIUM PATCH This Month

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

CSRF Privilege Escalation Java +2
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat Privilege Escalation Apache +1
NVD
EPSS 14% CVSS 5.0
MEDIUM POC THREAT This Month

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%.

Tomcat Denial Of Service Apache +1
NVD
EPSS 26% CVSS 5.0
MEDIUM POC PATCH THREAT This Month

The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.0%.

Denial Of Service Apache Http Server +1
NVD
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Apache Munin
NVD
EPSS 12% CVSS 5.0
MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Tomcat Apache Authentication Bypass
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Privilege Escalation Apache
NVD
EPSS 20% CVSS 5.0
MEDIUM This Month

java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 20.3% and no vendor patch available.

Tomcat Denial Of Service Apache +1
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not verify that the server hostname matches a domain name in the. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Apache RCE Cxf
NVD
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Apache Information Disclosure Java +1
NVD
EPSS 2% CVSS 5.8
MEDIUM POC This Month

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products,. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Apache Information Disclosure Java +5
NVD
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Information Disclosure Java +2
NVD
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Information Disclosure Libcloud
NVD
EPSS 3% CVSS 10.0
CRITICAL Act Now

Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Citrix +1
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Ofbiz
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Axis2
NVD
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack.". Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Apache Authentication Bypass Axis2
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The Apache Santuario configuration in Eucalyptus before 3.1.1 does not properly restrict applying XML Signature transforms to documents, which allows remote attackers to cause a denial of service via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Denial Of Service Apache +1
NVD
EPSS 7% CVSS 5.0
MEDIUM This Month

Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apache Qpid
NVD
EPSS 10% CVSS 4.3
MEDIUM PATCH This Month

Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache Information Disclosure Cxf
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Wicket
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the ISE Administrator user interface (aka the Apache Tomcat interface) on Cisco Identity Services Engine (ISE) 3300 series appliances. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the mod_pagespeed module 0.10.19.1 through 0.10.22.4 for the Apache HTTP Server allows remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Mod Pagespeed
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The mod_pagespeed module before 0.10.22.6 for the Apache HTTP Server does not properly verify its host name, which allows remote attackers to trigger HTTP requests to arbitrary hosts via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Mod Pagespeed
NVD
EPSS 8% CVSS 5.0
MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Denial Of Service Apache +1
NVD
EPSS 3% CVSS 6.8
MEDIUM PATCH This Month

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
EPSS 2% CVSS 5.0
MEDIUM This Month

The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apache Mod Rpaf
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Qpid
NVD
Prev Page 28 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy